They're not really competing certifications
I get this question constantly, and the honest answer is that CISSP and Security+ aren't competing for the same spot on your CV — they sit at completely different career stages. Security+ is an entry-level, vendor-neutral credential aimed at people getting into cyber security. CISSP is a senior-level management and architecture certification from ISC2 that requires years of paid work experience to even earn the full designation. Comparing them head-to-head is a bit like comparing a driving test to an HGV licence — related field, very different level.
If you're asking this question because you're brand new to the field, the answer is simple: Security+ first, always. CISSP isn't reachable yet, and even if it were, it wouldn't be the right credential for where you are.
The experience requirement most people miss
This is the detail that trips people up: CISSP requires a minimum of five years of cumulative, paid work experience in at least two of the eight CISSP domains (one year can be waived with a relevant degree or another approved certification). You can sit and pass the exam without that experience and become an "Associate of ISC2," but you don't get the full CISSP designation until the experience requirement is satisfied and endorsed. Security+ has no such requirement — you can sit it on day one of your career.
That's the practical reason most people need Security+, or an equivalent foundation, long before CISSP is even relevant to their situation. It also explains why job adverts asking for "CISSP or equivalent, 5+ years' experience" look nothing like the entry-level postings that mention Security+ — they're not aimed at the same candidate at all, and treating them as rungs on the same short ladder sets unrealistic expectations either way.
Side-by-side
| Security+ (SY0-701) | CISSP | |
|---|---|---|
| Level | Entry-level | Senior / management |
| Body | CompTIA | ISC2 |
| Experience required | None | 5 years (with waivers) |
| Focus | Technical fundamentals | Security management, governance, architecture |
| Typical holder | Junior analyst, career changer | Security manager, architect, CISO-track |
| Renewal | Continuing education | Continuing education (CPEs) |
What I tell students who want to skip straight to CISSP
Occasionally I get a student, usually a career changer coming from a senior role in another field — programme management, engineering leadership, military — who wants to go straight for CISSP because it looks like the "top" certification. I tell them the same thing every time: CISSP tests breadth of security management knowledge across eight domains, and without any grounding in the technical fundamentals, you'll be memorising concepts you've never actually seen applied. That's a much harder, much less durable way to learn, and it doesn't help you if you can't get past the experience requirement to hold the full credential anyway.
Build the technical foundation first — Security+ or equivalent, ideally with some hands-on practice — then let CISSP be the credential that formalises management-level knowledge once you're actually operating at that level. I say this as someone who holds CISSP: the exam rewards judgement built from real decisions you've had to make under pressure — a live incident, a budget trade-off, a policy exception nobody wanted to sign off. Without that backlog of experience to draw on, you're memorising abstractions instead of recognising patterns you already know, and that's a much slower, much less reliable way to prepare.
A sensible order
- Security+ (or ISC2 CC) — foundational vocabulary and concepts.
- Hands-on experience — an analyst role, a hands-on credential like BTL1, practical projects.
- A specialisation — cloud security, blue team, GRC, depending on where your career goes.
- CISSP — once you're accumulating the years of experience and moving toward management or architecture responsibility.
If you're not sure CISSP is worth the effort even once you qualify for it, I've written the case for and against separately: is CISSP worth it. And if you want the fuller picture of where Security+ sits before any of this, see is Security+ worth it.
FAQ
Can I get CISSP without any work experience?
You can pass the exam and become an ISC2 Associate, working toward the full CISSP designation as you accumulate the required experience. You can't hold the full CISSP credential without it.
Is CISSP harder than Security+?
Yes, but not just because of content difficulty — CISSP tests breadth and judgement across security management topics, which is harder to cram than Security+'s more definable, technical objectives.
Should career changers go for CISSP directly?
Only if you already have years of relevant experience from adjacent fields that ISC2 will credit — for example, IT risk, audit, or programme management roles with real security content. Otherwise, build the foundation first.
Does Security+ count toward CISSP's experience requirement?
Security+ itself doesn't count as work experience, but CompTIA has agreements that let certain CompTIA certifications satisfy one year of the CISSP experience waiver — check ISC2's official page for the current list, since these arrangements change.
Not sure which of these actually matches where you are right now? Book a trial lesson and we'll map out the realistic next step rather than the aspirational one.